
Windows Security events not making it to Sentinel


Hi there,
I hate to ask this, but we are seeing inconsistent results on our WMI
connector to a W2K3 DC. Some events are not making their way to Sentinel
7, though they are in the Security log of the DC. We are only at a 4-5
EPS rate on either of the two DCs. No pre-filtering is being used on the
connector, and no Sentinel routing rules are active that would drop
events. Should all events in the Security event log be fair game to be
processed by the WECS server?

This was noticed during testing with intentionally incorrect credentials,
but we are not seeing the events in Sentinel. No errors in the swecs.log
either.

Thanks,
Kirk


--
kmaule
------------------------------------------------------------------------
kmaule's Profile: https://forums.netiq.com/member.php?userid=306
View this thread: https://forums.netiq.com/showthread.php?t=46223


Re: Windows Security events not making it to Sentinel

I know that there is a pre-release (not yet to the beta site I do not
think) collector which handles some events that were not being parsed
correctly... perhaps your events are the same ones. If so you can get
the pre-release collector from Novell/NetIQ if you open an SR with them
(should be refunded as this is a bug).

To go a more technical route, fire up the debugger and see what is
happening as those events are processed. Taking a step back, capture a
connector dump (for use later when replaying it for the debugger as
that's easier than causing failed logins over and over) and verify the
events you expect show up there since, if they do not, the problem is
not the collector at all but something earlier. Feel free to post your
Connector Dump output somewhere, maybe even in the forum between code
tags (see the forum help for more on those) and maybe we can figure it
out together by replaying events on our systems.

Good luck.
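The reply suggests verifying that the expected events exist before blaming the collector. The script below is an added example (not from either poster or from NetIQ): it reads the DC's Security log over the same WMI path the connector uses, counts events per EventCode for a time window and reports the resulting EPS, so the numbers can be compared against a Sentinel search over the same window. It assumes Windows PowerShell 5.1 (`Get-WmiObject`) and rights to read the remote Security log; `$Computer` and `$Minutes` are placeholders.

```powershell
# Added example, not part of the original thread. Counts Security-log events on a DC
# via Win32_NTLogEvent (the WMI class the connector reads) for comparison with Sentinel.
param(
    [string]$Computer = "DC01",   # placeholder: the DC being collected from
    [int]$Minutes = 60            # look-back window to compare against Sentinel
)

# WQL compares TimeGenerated against DMTF-formatted timestamps, so convert the cutoff.
$cutoff = (Get-Date).AddMinutes(-$Minutes)
$since  = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($cutoff)

$query = "SELECT EventCode, TimeGenerated, SourceName FROM Win32_NTLogEvent " +
         "WHERE Logfile='Security' AND TimeGenerated >= '$since'"

# Same transport (DCOM/WMI) and same log the connector queries; if the events are
# missing here, the problem is upstream of the collector, as the reply points out.
$events = @(Get-WmiObject -ComputerName $Computer -Query $query -ErrorAction Stop)

# Per-EventCode totals: run the equivalent count in Sentinel for the same host and window.
$events | Group-Object EventCode | Sort-Object Count -Descending |
    Select-Object @{n='EventCode'; e={$_.Name}}, Count | Format-Table -AutoSize

# Failed-logon IDs: the 529-537/539 family on Windows Server 2003, 4625 on 2008 and later.
$failedIds = 529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 4625
$failed = @($events | Where-Object { $failedIds -contains $_.EventCode })

"{0} Security events ({1} failed logons) in the last {2} minutes on {3}; {4:N2} EPS" -f `
    $events.Count, $failed.Count, $Minutes, $Computer, ($events.Count / ($Minutes * 60))
```

If the failed-logon count here is non-zero but Sentinel shows none for the same window, capture the connector dump next, as the reply describes, to see whether those events leave the connector at all.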